As IT security experts have noted, it’s highly predictable any natural or man-made disaster which fixates popular attention will be exploited to create lures. The specific implementation could be phishbait for a malicious email link or attachment, or it could be clickbait posted on social media which leads to a malware infection, or even targeted reconnaissance through a watering hole attack. The fundamental “vulnerability” is human nature – we care about the disaster event.

It was sadly predictable the MH17 tragedy would be leveraged in this way, just like the MH370 tragedy before it. The threat intel question for defenders of a particular network is targeting and motivation. A few infected endpoints related to some ad serving scam is a nuisance. A spearphishing email that fosters an advanced persistent threat (APT) in your network is an urgent incident.

Together with Rich, we looked at the MH17 aftermath from this perspective. We reviewed the relevant threat history and highlighted prior use of the NetTraveler malcode line, one to watch carefully for MH17-themed attacks. Rich enriched this discussion with infrastructure and CnC specifics developed using the ThreatConnect® Threat Intelligence Platform.